CVE-2026-44578
SSRF vulnerability in next (npm)

Category: SSRF. Known public exploit: none.

What is CVE-2026-44578 About?

Self-hosted applications using the built-in Node.js server are vulnerable to Server-Side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can compel the server to proxy requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata. This vulnerability requires specific WebSocket upgrade request crafting.

Affected Software

  • next
    • >=13.4.13, <15.5.16
    • >=16.0.0, <16.2.5

Technical Details

The vulnerability affects self-hosted applications employing the built-in Node.js server within frameworks like Next.js, and stems from inadequate validation of WebSocket upgrade requests. An attacker can craft a malicious WebSocket upgrade request that, when processed by the server, bypasses existing safety checks usually applied to normal HTTP requests. This allows the attacker to trick the server into acting as a proxy, forwarding requests to arbitrary internal services or external targets. This SSRF vulnerability can expose sensitive internal infrastructure, such as internal APIs or cloud metadata endpoints, which could lead to further compromise. Vercel-hosted deployments are not affected, as they do not use this specific server configuration.

What is the Impact of CVE-2026-44578?

Successful exploitation may allow attackers to interact with internal services or cloud metadata endpoints, leading to information disclosure, unauthorized access to internal systems, or further network pivoting.

What is the Exploitability of CVE-2026-44578?

Exploitation involves crafting specific WebSocket upgrade requests. It is a remote attack and generally does not require authentication, though the target system must be exposed to an untrusted network. The complexity is moderate, requiring an understanding of WebSocket protocols and potential internal network structures. The primary risk factors include direct exposure of the origin server and the absence of reverse proxy protection that blocks upgrade requests or restricts egress. If WebSocket upgrades are not necessary for the application, blocking them at the edge is a strong mitigation.

What are the Known Public Exploits?

No known public exploits; the PoC table (Author, Link, Commentary) is empty.

What are the Available Fixes for CVE-2026-44578?

Available Upgrade Options

  • next
    • >=13.4.13, <15.5.16 → Upgrade to 15.5.16
    • >=16.0.0, <16.2.5 → Upgrade to 16.2.5


Additional Resources

What are Similar Vulnerabilities to CVE-2026-44578?

Similar Vulnerabilities: CVE-2023-46738, CVE-2023-39834, CVE-2023-29007, CVE-2023-25135, CVE-2022-42962